Social engineering. Hackers know people – and systems – will trust someone with the right information. Attackers scan your organization’s website, personal websites and social media accounts to learn about your organization’s hierarchy and terminology, and even the speech patterns and nicknames of executives.

Defense: Set guidelines about what’s safe to share and encourage employees – especially high-level ones – to lock down their social media accounts. The world doesn’t need to know that your first pet’s name and the street you grew up on make up your movie star name – and yet hackers do! Now they have two likely answers to those security questions you use for password recovery. D’Oh!

Spoofed email. Sophisticated cybercriminals create emails that look like they’re from a trusted sender by using URLs that are a letter or two off, or that contain special characters or spacing to resemble the correct information at a glance. After they gain our trust this way, attackers ask for our login information – and we give it!

Defense: Train employees to look for telltale signs of a spoofed email, and teach them tactics to avoid falling for one. Strengthen your defenses with a technology solution that deep-scans inbound emails for header anomalies, similar domains, and other “tells” that may be overlooked by even the most eagle-eyed human.

Password cracking. Even if you’re storing hashed passwords, credentials may be at risk. Weak hashing can be easier to crack – and once hackers have figured out your hashing algorithm, they unleash “dictionary attacks” to test-drive words and known passwords from previous breaches until they find the right inputs.